From 06d493a1e9b5ad66cc3fed93f7db33783ef7f797 Mon Sep 17 00:00:00 2001 From: Janette Day Date: Fri, 30 Aug 2024 14:42:46 -0500 Subject: [PATCH] Split off sanitize to a separate method --- modules/common/src/Storage/SelectFactory.php | 13 ++++++++----- .../Controller/QueryDownloadControllerTest.php | 2 +- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/modules/common/src/Storage/SelectFactory.php b/modules/common/src/Storage/SelectFactory.php index a83dc13ac4..75d1a294a0 100644 --- a/modules/common/src/Storage/SelectFactory.php +++ b/modules/common/src/Storage/SelectFactory.php @@ -104,10 +104,8 @@ private function setQueryProperties(Query $query) { private function addDateExpressions($db_query, $fields, $meta_data) { foreach ($meta_data as $definition) { // Confirm definition name is in the fields list. - $name = $this->dbQuery->escapeField($definition['name']); - $sanitizedName = $fields[$name]['field']; - if ($sanitizedName && $definition['type'] == 'date') { - $db_query->addExpression("DATE_FORMAT(" . $sanitizedName . ", '" . $definition['format'] . "')", $sanitizedName); + if ($fields[$definition['name']]['field'] && $definition['type'] == 'date') { + $db_query->addExpression("DATE_FORMAT(" . $definition['name'] . ", '" . $definition['format'] . "')", $definition['name']); } } } @@ -143,7 +141,7 @@ private function normalizeProperty(mixed $property): object { if (is_string($property) && self::safeProperty($property)) { return (object) [ "collection" => $this->alias, - "property" => $this->dbQuery->escapeField($property), + "property" => $property, "alias" => NULL, ]; } @@ -152,6 +150,10 @@ private function normalizeProperty(mixed $property): object { } // Throw exception if obviously unsafe property name. self::safeProperty($property->property); + return $property; + } + + private function sanitizeProperty(object $property) { // Sanitize the property name. $property->property = $this->dbQuery->escapeField($property->property); $property->alias = isset($property->alias) ? $this->connection->escapeAlias($property->alias) : NULL; @@ -254,6 +256,7 @@ private function normalizeOperand(mixed $operand) { */ private function propertyToString(mixed $property) { $property = $this->normalizeProperty($property); + $property = $this->sanitizeProperty($property); return "{$property->collection}.{$property->property}"; } diff --git a/modules/datastore/tests/src/Functional/Controller/QueryDownloadControllerTest.php b/modules/datastore/tests/src/Functional/Controller/QueryDownloadControllerTest.php index f0c309b532..86b5f8b36a 100644 --- a/modules/datastore/tests/src/Functional/Controller/QueryDownloadControllerTest.php +++ b/modules/datastore/tests/src/Functional/Controller/QueryDownloadControllerTest.php @@ -242,7 +242,7 @@ public function testDownloadWithDataDictionary() { // Header should be using the dictionary title. $this->assertEquals('a,b_title,c,d,e', $lines[0]); - // Set the machine name CSV header mode. + // Set the machine name CSV header mode before the import. $this->config('metastore.settings') ->set('csv_headers_mode', 'machine_names') ->save();